A microcomputer which is operable in either an internal
program mode, wherein the microcomputer functions in
accordance with an internally stored program, or in an external
program mode, wherein the microcomputer functions in
accordance with a program stored in a memory external to the
microcomputer, provides internal RAM security during the
external program mode. The microcomputer includes an
internal program memory for internally storing programs; a bus
for connection to an external memory for carrying programs
from the external program memory; a nonsecure RAM for
storing nonsecure data; a secure RAM for storing secure data;
a central processing unit for processing the stored data and/or
externally provided data either in accordance with the internally
stored programs or in accordance with programs stored in the
external memory; and a controller for controlling interconnections
between the internal program memory, the bus, the RAMs
and the central processing unit in accordance with the mode of
operation of the microcomputer; wherein during the external
program mode, the controller inhibits access to the secure
RAM. Code for accessing the secure data stored in the secure
RAM is contained in a program stored in the internal program
memory. The microcomputer is ideally suited for performing
cryptographic operations utilizing cryptographic keys stored in

Description

MICROCOMPUTER WITH INTERNAL RAM SECURITY DURING EXTERNAL PROGRAM MODE 



BACKGROUND OF THE INVENTION 

The present invention generally pertains to microcomputers
and is particularly directed to providing
security for data stored in the microcomputer when
the microcomputer is operated in an external
program mode.

A microcomputer essentially includes an internal
program memory for internally storing programs; a
bus for carrying data to and from the microcomputer;
a random access memory (RAM) for storing
data; a central processing unit for processing said
stored data and/or data received over the bus in
accordance with the internally stored programs; and
a controller for controlling interconnections between
the internal program memory, the bus, the RAM and
the central processing unit in accordance with the
mode of operation of the microcomputer.

For microcomputers that do not have an external
program mode, wherein the operation of the microcomputer
is in accordance with a program stored in
an internal memory, the security of the data stored in
the internal RAM is under the control of the program
stored in the internal memory, and thereby security
of such data may be assured. However, internal
memory size is limited and may be enlarged only up
to a certain point at which further expansion is not
economically feasible because of increased silicon
area and cost. Thus, for many applications, a
microcomputer having an external program mode of
operation is preferred for economic reasons.

In a prior art microcomputer having an external
program mode of operation, the bus is connected to
external memories for carrying programs from an
external program memory and for carrying data from
an external data memory; and the controller interconnects
the bus to the internal RAM during the
external program mode. Thus, operation of a prior
art microcomputer in the external program mode
affords an intruder access to the entire internal
RAM, whereby sensitive data (such as access
codes, authenticators, or secure variables) stored in
the internal RAM may be accessed from outside the
microcomputer and thereby compromised.

SUMMARY OF THE INVENTION 

The present invention provides a microcomputer
which is operable in either an internal program
mode, wherein the microcomputer functions in
accordance with an internally stored program, or in
an external program mode, wherein the microcomputer
functions in accordance with a program stored
in a memory external to the microcomputer, without
compromising the security of data stored in a
designated internal RAM. The microcomputer of the
present invention includes an internal program
memory for internally storing programs; a bus for
connection to an external memory for carrying
programs from the external memory; a nonsecure
RAM for storing nonsecure data; a secure RAM for
storing secure data; a central processing unit for
processing the stored data and/or externally provided
data either in accordance with the internally
stored programs or in accordance with programs
stored in the external memory; and a controller for
controlling interconnections between the internal
program memory, the bus, the RAMs and the central
processing unit in accordance with the mode of
operation of the microcomputer, wherein during the
external program mode, the controller inhibits
access to the secure RAM. Code for accessing the
secure data stored in the secure RAM is contained
in a program stored in the internal program memory.

The microcomputer of the present invention is 
ideally suited for performing cryptographic oper- 
ations. For cryptographic operations, the internal 
program memory stores a program for performing 
cryptographic operations upon data; and the secure 
RAM stores cryptographic key data required for 
performing the cryptographic operations. 

Additional features of the present invention are
described in relation to the description of the
preferred embodiment.

BRIEF DESCRIPTION OF THE DRAWING

The figure of the drawing is a diagram of a 
preferred embodiment of the microcomputer of the 
present invention coupled to an external program 
memory. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Referring to the Drawing, the preferred embodiment
of the microcomputer 10 of the present
invention includes a central processing unit (CPU)
12, an internal program memory 14, a nonsecure
RAM 16, a secure RAM 18, buses 20, 22, and 24
respectively connected to ports A, B and C, and a
controller. The controller includes a memory-access-and-peripheral-control
unit 26, a mode control
register 28, a port A data register 30, a port B data
register 32, a port C data register 34, a first tri-state
bus driver 36 coupling the port A data register 30 to
the port A data bus 20, a second tri-state bus driver
38 coupling the memory-access-and-peripheral-control
unit 26 to the port A data bus 20, a third
tri-state bus driver 40 coupling the port B data
register 32 to the port B data bus 22, a fourth
tri-state bus driver 42 coupling the memory-access-and-peripheral-control
unit 26 to the port B data bus
22, a fifth tri-state bus driver 44 coupling the port C
data register 34 to the port C data bus 24, and a sixth
tri-state bus driver 46 coupling the memory-access-and-peripheral-control
unit 26 to the port C data bus
24. The fourth tri-state bus driver 42 is bidirectional.
All of the other bus drivers are unidirectional and
transfer data onto the respective port A, B and C
buses 20, 22, 24 from the microcomputer 10.

The mode control register 28 provides a signal on
line 48 indicating whether the microcomputer is in an
internal program mode or an external program mode
of operation. The mode indication signal on line 48
enables access to the secure RAM 18 during the
internal program mode of operation and inhibits
access to the secure RAM 18 during the external
program mode of operation.

The port A bus 20 is a 2-bit control bus, which
provides memory timing controls. The port B bus 22
is a multiplexed address/data bus providing eight
address bits and eight bits of data for bidirectional
transfer. The port C bus 24 provides eight additional
address bits.

An external program memory 50 is coupled to the
port A, B, and C buses 20, 22, and 24 of the
microcomputer 10 by a 16-bit address bus 52, an
address latch 54, an 8-bit data bus 56, an address
latch enable line 58 and a memory enable line 60.

Additional input/output memory, or other peripheral
devices may share the buses 20, 22, 24 along with
the external program

address decoding and interface circuitry. In the
external program mode, the microcomputer 10 is, in
effect, a general purpose microprocessor.

The CPU 12 receives reset and clock signals on
lines 62 and 64 respectively.

On reset, instructions are fetched from the
internal program memory 14; and the mode control
register 28 is set to indicate the internal program
mode, and thereby provides a signal on line 48 that
enables access to the secure RAM 18. Such an
indication on line 48 also enables the bus drivers 36,
40 and 44 to respectively transfer the contents of the
port A data register 30 onto the port A bus 20, the
contents of the port B data register 32 onto the port
B bus 22, and the contents of the port C data
register 34 onto the port C bus 24. At the same time
the internal program mode indication on line 48
inhibits the bus drivers 38, 42 and 46 from
transferring data. When in the internal program
mode, the CPU 12 has access to both the secure
RAM 18 and the nonsecure RAM 16, as well as to all
of the peripheral registers, including port A data
register 30, port B data register 32, port C data
register 34 and mode control register 28.

When operating in the internal program mode, all
instructions are executed from the internal program
memory 14; and internal bus activity is not accessible
at the pins of the microcomputer. In the
internal program mode, access to external program
memory is not possible.

After power-up initialization is complete, program 
control may be passed to the external program 
memory 50 by first setting the mode control register 
28 to provide an external-program-mode indication 
signal on line 48 to inhibit access to the secure RAM 
18, and then branching externally via bus drivers 38, 
42 and 46. The external-program-mode indication 
signal on line 48 also inhibits the bus drivers 36, 40 
and 44 from transferring data from the port A, B, and 
C data registers 30, 32 and 34 onto the port A, B, and 
C buses 20, 22 and 24. Program control may be 
returned to the internal program memory 14 simply 
by branching to it. 



When in the external program mode, the microcomputer's
internal address and data buses are
interconnected by the bus drivers 38, 42 and 46 to
the external program memory 50, and control of the
microcomputer is transferred to the external program
memory 50. In the external program mode,
access to the nonsecure RAM is allowed, while
access to the secure RAM 18 is inhibited.

In a typical operating scenario, after system reset
and initialization, control is passed to the external
program memory 50. When data is available requiring
authentication or comparison with variables
stored in secure RAM 18, the data is written into the
nonsecure RAM 16 and a branch is made to an entry
point in the internal program memory 14. The mode
control register 28 is then accessed to select the
internal program mode, so that operations using
secure data with nonsecure data may be performed.
Internal secure routines are executed, with the
results, if any, being written into the nonsecure RAM
16. Finally, the mode control register 28 is accessed
to select the external program mode and a return is
made to the calling routine in the external program
memory 50.

Whenever the program code provided from the
external program memory 50 causes a switch to the
internal program mode, any following instructions
from the external program memory 50 are ignored,
since the switch to the internal program mode
results in the mode control register 28 providing a
mode indication signal on line 48 that inhibits the bus
drivers 38, 42 and 46 from providing further access
to the microcomputer by the external program
memory 50. Since no device is available to place
instruction data on the internal operating bus, the
resulting value of zero is interpreted by the CPU 12
as a "do nothing" instruction. The microcomputer
program counter then increments upwards until the
first byte of the internal program memory 14 is
reached, thus returning control to the internal
program memory 50.

When the microcomputer 10 is adapted for
performing cryptographic operations, the programs
stored in the internal program memory 14 contain
cryptographic routines; and cryptographic keys
and/or data required for deriving cryptographic keys
are stored in the secure RAM 18. A "master"
program stored in the external program memory 50
can utilize program subroutines stored in the
internal program memory 14 to provide a "slave"
cryptographic processor. This master program may
be made to cause such a cryptographic processor
to encrypt and store data, authenticate a block of
data, and/or derive a new key from a previously
stored key. Initially, data to be operated on by the
cryptographic processor is placed in the nonsecure
RAM 16 by the master program; and then the
program branches to the internal program memory
16 for implementing the cryptographic processor.
Cryptographic routines first enable the secure RAM
18; then access secure data, such as cryptographic
keys, from the secure RAM 18; next perform
cryptographic operations on the data; and finally
store any results of such cryptographic processing
in the nonsecure RAM 16. The microcomputer 10 is
then switched back to the external program mode to
allow the results to be accessed from the nonsecure
memory 16 and to allow further processing in the
external program mode.
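
The call sequence described above (the external program places data in the nonsecure RAM 16, branches into the internal program memory 14, and reads back only the result) can be modelled in software. The following C model is an added illustration and is not part of the patent text; the function names, array sizes, the access-code value and the comparison without early exit are assumptions, and loading the secure RAM inside the reset routine stands in for whatever provisioning step a real device uses.

```c
#include <stdint.h>
#include <string.h>

enum mode { INTERNAL, EXTERNAL };   /* value held by mode control register 28 */
struct mcu {
    enum mode mode;         /* drives the mode indication signal on line 48 */
    uint8_t nonsecure[16];  /* nonsecure RAM 16: reachable in both modes */
    uint8_t secure[4];      /* secure RAM 18: reachable in internal mode only */
};

/* Controller gate: a secure-RAM read succeeds only in internal program mode. */
int secure_read(const struct mcu *m, unsigned addr, uint8_t *out)
{
    if (m->mode != INTERNAL || addr >= sizeof m->secure) return -1; /* inhibited */
    *out = m->secure[addr];
    return 0;
}

/* Reset starts in internal mode; ROM init then selects external mode. */
void mcu_reset(struct mcu *m)
{
    static const uint8_t code[4] = { 0x31, 0x41, 0x59, 0x26 }; /* constructed value */
    memset(m, 0, sizeof *m);
    m->mode = INTERNAL;
    memcpy(m->secure, code, sizeof code);   /* assumed provisioning step */
    m->mode = EXTERNAL;                     /* set before branching externally */
}

/* Hypothetical internal-ROM entry point: compares the candidate placed in
 * nonsecure[0..3] with the secure code and writes 1 or 0 to nonsecure[4]. */
void rom_compare_code(struct mcu *m)
{
    uint8_t diff = 0, k = 0;
    m->mode = INTERNAL;                          /* enable the secure RAM */
    for (unsigned i = 0; i < sizeof m->secure; i++) {
        secure_read(m, i, &k);
        diff |= (uint8_t)(k ^ m->nonsecure[i]);  /* no early exit on mismatch */
    }
    m->nonsecure[4] = (diff == 0);               /* only the verdict is exported */
    m->mode = EXTERNAL;                          /* inhibit the secure RAM again */
}

/* External-program view: submit a candidate, then read back the verdict. */
int external_check(struct mcu *m, const uint8_t cand[4])
{
    memcpy(m->nonsecure, cand, 4);
    rom_compare_code(m);
    return m->nonsecure[4];
}
```

The external program only ever sees the candidate it wrote and the one-byte verdict; a direct `secure_read` while the mode register selects external mode returns -1.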

Preferably, the internal program memory 14 is a
read-only memory (ROM). The secure RAM 18 of the
microcomputer may be provided with nonvolatility
(CMOS with battery backup, or EEPROM, for
example). The secure RAM 18 of the microcomputer
may then be loaded with secure data at one physical



all but properly authorized transactions are prohibited.



Claims 



1. A microcomputer that is operable in either
an internal program mode, wherein the microcomputer
functions in accordance with an
internally stored program, or in an external
program mode, wherein the microcomputer
functions in accordance with a program stored
in a memory external to the microcomputer,
said microcomputer comprising
an internal program memory for internally
storing programs;
a bus for connection to an external memory for
carrying programs from said external program
memory;
a nonsecure RAM for storing nonsecure data;
a secure RAM for storing secure data;
a central processing unit for processing said
stored data and/or externally provided data
either in accordance with said internally stored
programs or in accordance with programs
stored in said external memory; and
means for controlling interconnections between
the internal program memory, the bus, the
RAMs and the central processing unit in
accordance with the mode of operation of the
microcomputer;
wherein during said external program mode, the
controlling means inhibits access to the secure
RAM.

2. A microcomputer according to Claim 1,
wherein the controlling means comprise
a mode control register for indicating the
program mode; and
a bus driver coupled to the



with the bus to receive programs carried from
the external memory over the bus during only
the external program mode.

3. A microcomputer according to Claim 1,
wherein the internal program memory stores a
program for performing cryptographic operations
upon data; and wherein the secure RAM
stores secure cryptographic key data required
for performing said cryptographic operations.

4. A microcomputer according to Claim 1,
wherein the internal program memory stores a
program containing code for accessing secure
data from the secure RAM.


